diff --git a/fail2ban/server/filter.py b/fail2ban/server/filter.py index 86c6648e..68968284 100644 --- a/fail2ban/server/filter.py +++ b/fail2ban/server/filter.py @@ -794,6 +794,8 @@ class Filter(JailThread): # be sure we've correct current state ('nofail' and 'mlfgained' only from last failure) if mlfidGroups.pop('nofail', None): nfflgs |= 4 if mlfidGroups.pop('mlfgained', None): nfflgs |= 4 + # gained resets all pending failures (retaining users to check it later) + if nfflgs & 8: mlfidGroups.pop('mlfpending', None) # if we had no pending failures then clear the matches (they are already provided): if (nfflgs & 4) == 0 and not mlfidGroups.get('mlfpending', 0): mlfidGroups.pop("matches", None) diff --git a/fail2ban/tests/fail2banregextestcase.py b/fail2ban/tests/fail2banregextestcase.py index bc799b84..e300f315 100644 --- a/fail2ban/tests/fail2banregextestcase.py +++ b/fail2ban/tests/fail2banregextestcase.py @@ -514,6 +514,27 @@ class Fail2banRegexTest(LogCaptureTestCase): '192.0.2.1, git, '+lines[-1], all=True) + def testOutputNoPendingFailuresAfterGained(self): + unittest.F2B.SkipIfCfgMissing(stock=True) + # connect finished without authorization must generate a failure, because + # connect started will produce pending failure which gets reset by gained + # connect authorized. + self.assertTrue(_test_exec('-o', 'failure from == ==', + '-c', CONFIG_DIR, '-d', '{NONE}', + 'svc[1] connect started 192.0.2.3\n' + 'svc[1] connect finished 192.0.2.3\n' + 'svc[2] connect started 192.0.2.4\n' + 'svc[2] connect authorized 192.0.2.4\n' + 'svc[2] connect finished 192.0.2.4\n', + 'common[prefregex="^svc\[\d+\] connect .+$"' + ', failregex="' + '^started\n' + '^finished \n' + '^authorized ' + '", maxlines=1]' + )) + self.assertLogged('failure from == 192.0.2.3 ==') + self.assertNotLogged('failure from == 192.0.2.4 ==') def testWrongFilterFile(self): # use test log as filter file to cover eror cases...